William Barlow sued IBM and AT&T in federal court in New York under the False Claims Act’s qui tam provisions, alleging both companies concealed data breaches by APT 10, a Chinese state-linked hacking group, to protect their federal government contracts. Bloomberg first reported the suit, filed in 2020 and unsealed this week after the Justice Department declined to intervene.
A March 2017 warning from Five Eyes intelligence agencies prompted an internal IBM investigation that concluded APT 10 potentially breached its core network more than 56,000 times between 2013 and 2016. IBM couldn’t fully investigate because it hadn’t kept network access logs, a basic security practice. The DOJ had indicted two APT 10 members in 2018, with then-FBI Director Christopher Wray calling their targets a “Who’s Who of the global economy.”
The alleged cover-up reaches two IBM subsidiaries. Barlow, who served as IBM’s VP of threat intelligence until August 2019, said Trusteer, a cybersecurity startup IBM acquired in 2013, was breached in 2018. Truven, a healthcare data company IBM bought in 2016, was breached multiple times post-acquisition. In both cases, IBM allegedly failed to investigate or disclose. Nearly 400 accounts and almost 200 systems across 18 countries were compromised, per the complaint.
IBM is a major federal cybersecurity vendor. The FCA exposure turns on whether it made false security representations to win or renew those contracts while aware of the breaches. DOJ’s decision to pass doesn’t foreclose that theory; Barlow can proceed as relator.
IBM told TechCrunch it’s “confident that our actions followed the letter of the law.” Barlow’s attorney says they’re “looking forward to aggressively litigating the matter.” The case remains pending.
James Okafor